Codes of Ethics for Security Professionals

Thursday, 24 November 2011

This is a very basic look at how Nmap scans appear in a Wireshark capture file.

Nmap SYN Scan

Usage: nmap -sS 192.168.56.101

Nmap sends a packet with the SYN flag set and the target host will reply with a SYN,ACK packet if the port is open and a RST,ACK packet if the port is closed. Nmap does not complete the full TCP connection if the port is open.

The image below shows this process with the SYN bit set in the packet. The SYN scan is visually easy to spot because of the repeated SYN packets sent to the same host, represented by the grey lines in the image. The target host responds with numerous RST,ACK packets, all back to the same scanning host.

Image of Nmap SYN scan

Nmap TCP Connect Scan

Usage: nmap -sT 192.168.56.101

The TCP Connect Scan completes the full TCP handshake if the particular service is running, as shown in the image below.

Image of Nmap Connect Scan

If the service is not running, a RST,ACK is received. Visually the pcap will show repeated SYN messages sent to a target host, and it is clear that ports and services are being enumerated.

Nmap Null Scan

Usage: nmap -sN 192.168.56.101

In this scan, packets with no flags set are sent to the target. As with the other scans mentioned on this page, it is quite easy to spot this type of scan. The telltale signs of repeated messages sent very quickly to the same host are illustrated in the image below:

Image of Nmap Null Scan

If nmap receives a RST,ACK packet from a null scan it will consider the port to be closed.

Nmap Scan using Timing Options

Usage: nmap -sA -T1 192.168.56.101 (the -T timing template takes a value from 0 to 5)

The image below shows an ACK scan using a timing interval option. The ACK scan is less visible because it is dispersed amongst normal traffic. The relevant packets are numbered 58 and 59.
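The four captures described on this page (the SYN scan, the TCP connect scan, the NULL scan and the slow ACK scan) can be told apart mechanically from the same two things the screenshots show: the flag pattern of the probes and how many ports one source touches on one host. The Python script below is an added example, not code from the original post. It constructs its own packet records (the scanner addresses 192.168.56.11 to .14 and the client 192.168.56.20 are made up; 192.168.56.101 is the target used in the post's commands), classifies each source/target pair, and reports the probe rate so the slow ACK scan can be compared with the fast ones.

```python
"""Classify Nmap-style port scans from TCP packet records (added example).

Packet records are constructed below to mimic the post's four captures; the
scanner and client addresses are made up, the target is the post's 192.168.56.101.
"""
from collections import defaultdict, namedtuple

# TCP flag bits, as shown in Wireshark's tcp.flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TARGET = "192.168.56.101"
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
# One captured TCP segment: timestamp (s), addresses, ports and flag bits
Pkt = namedtuple("Pkt", "ts src dst sport dport flags")


def classify_scans(pkts, min_ports=5):
    """Group probes by (src, dst) and label the scan type per pair.

    Only the scanner's packets are examined; the target's SYN/ACK, RST and
    RST/ACK replies carry other flag combinations and are skipped."""
    syn_probes, null_probes, ack_probes = defaultdict(set), defaultdict(set), defaultdict(set)
    completed = defaultdict(set)   # ports where the scanner finished the handshake
    syn_seen = set()               # (src, dst, sport, dport) of SYNs already sent
    times = defaultdict(list)      # probe timestamps per (src, dst)
    for p in sorted(pkts, key=lambda p: p.ts):
        key = (p.src, p.dst)
        if p.flags == 0:                                    # no flags: NULL scan probe
            null_probes[key].add(p.dport)
            times[key].append(p.ts)
        elif p.flags == SYN:                                # SYN-only: SYN or connect probe
            syn_probes[key].add(p.dport)
            syn_seen.add((p.src, p.dst, p.sport, p.dport))
            times[key].append(p.ts)
        elif p.flags == ACK:
            if (p.src, p.dst, p.sport, p.dport) in syn_seen:
                completed[key].add(p.dport)                 # third step of a real handshake
            else:                                           # bare ACK with no SYN: ACK scan probe
                ack_probes[key].add(p.dport)
                times[key].append(p.ts)
    report = {}
    for key in set(syn_probes) | set(null_probes) | set(ack_probes):
        if len(null_probes[key]) >= min_ports:
            kind = "NULL scan"
        elif len(ack_probes[key]) >= min_ports:
            kind = "ACK scan"
        elif len(syn_probes[key]) >= min_ports:
            # A connect scan completes the handshake on open ports, a SYN scan
            # does not. With no open port the two are identical in a capture.
            kind = "TCP connect scan" if completed[key] else "SYN scan"
        else:
            continue                                        # too few ports: not a scan
        ts = times[key]
        duration = ts[-1] - ts[0]
        rate = len(ts) / duration if duration > 0 else float("inf")
        report[key] = {"type": kind, "duration": round(duration, 3), "rate": round(rate, 2),
                       "ports": len(syn_probes[key] | null_probes[key] | ack_probes[key])}
    return report


def scan_traffic(scanner, kind, t0, gap, open_ports=()):
    """Constructed packets for one scan of PORTS on TARGET, target replies included."""
    pkts = []
    for i, port in enumerate(PORTS):
        ts, sport = t0 + i * gap, 40000 + i
        if kind in ("syn", "connect"):
            pkts.append(Pkt(ts, scanner, TARGET, sport, port, SYN))
            if port in open_ports:
                pkts.append(Pkt(ts + 0.001, TARGET, scanner, port, sport, SYN | ACK))
                # connect scan finishes the handshake; SYN scan tears it down with RST
                pkts.append(Pkt(ts + 0.002, scanner, TARGET, sport, port,
                                ACK if kind == "connect" else RST))
            else:
                pkts.append(Pkt(ts + 0.001, TARGET, scanner, port, sport, RST | ACK))
        elif kind == "null":
            pkts.append(Pkt(ts, scanner, TARGET, sport, port, 0))
            pkts.append(Pkt(ts + 0.001, TARGET, scanner, port, sport, RST | ACK))
        elif kind == "ack":
            pkts.append(Pkt(ts, scanner, TARGET, sport, port, ACK))
            pkts.append(Pkt(ts + 0.001, TARGET, scanner, port, sport, RST))
    return pkts


def sample_capture():
    """Four constructed scans plus one legitimate web connection, interleaved in time."""
    pkts = scan_traffic("192.168.56.11", "syn", 0.0, 0.01, open_ports={22, 80})
    pkts += scan_traffic("192.168.56.12", "connect", 10.0, 0.01, open_ports={22, 80})
    pkts += scan_traffic("192.168.56.13", "null", 20.0, 0.005)
    pkts += scan_traffic("192.168.56.14", "ack", 30.0, 15.0)   # 15 s apart: slow timing template
    client = "192.168.56.20"                                   # ordinary HTTP client, not a scanner
    pkts += [Pkt(100.0, client, TARGET, 51000, 80, SYN),
             Pkt(100.001, TARGET, client, 80, 51000, SYN | ACK),
             Pkt(100.002, client, TARGET, 51000, 80, ACK),
             Pkt(100.010, client, TARGET, 51000, 80, PSH | ACK)]
    return pkts


if __name__ == "__main__":
    for (src, dst), info in sorted(classify_scans(sample_capture()).items()):
        print(f"{src} -> {dst}: {info}")
```

Running it reports the three fast scans at roughly 100 to 200 probes per second and the ACK scan at about 0.07 probes per second, which is the point made above about timing: a detector that only counts probes per second misses the slow scan, while counting distinct destination ports per source/target pair over the whole capture still finds it. The benign client touches one port and completes a normal handshake, so it is never reported. The same tests the classifier applies can be typed as Wireshark display filters when inspecting a capture by hand: `tcp.flags.syn == 1 && tcp.flags.ack == 0` isolates the SYN-only probes and `tcp.flags == 0` the NULL probes.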